(54) Title: VIRTUAL MEETINGS

(57) Abstract: System, method, signal, operating model and computer program for conducting a
meeting over an electronic network. The method comprises steps of providing the eligible
participants with a notice of the upcoming meeting at an address to which they have consented
to receiving such notices. The method further comprises secure communications during the
meeting between the several eligible participants attending such meeting. Moreover, the method
of the meeting over an electronic network of the present invention provides for secure voting by
the several eligible participants attending the meeting in accordance with their respective
voting rights.
VIRTUAL MEETINGS
FIELD OF THE INVENTION 

The present invention relates to a method and system for providing secure meetings on a wide
area network such as the global computer network, or on a local area network. Among other
things, the present invention permits those attending the meeting on the network to vote
securely by an electronic transmission.
BACKGROUND OF THE INVENTION 

The prior art has considered various means of voting via electronic communication networks,
for instance the procedures described in U.S. Patent Applications Nos. US 2002/0087394 of
Zhang published July 2, 2002; US 2002/0095389 of Gaines published July 18, 2002; US
2002/0103696 of Huang et al. published August 1, 2002; US 2002/0133396 of Barnhart et al.
published September 19, 2002; and US 2002/0138341 of Rodriguez et al. published September 26,
2002, each of which is hereby incorporated by reference.

However, such voting methods have not considered the particular needs of, for instance, a
shareholders meeting. Among particularities, shareholders meetings are governed by the law of
the jurisdiction under which they are formed, and many jurisdictions have unique requirements.
Given the prevalence of Delaware as the state of incorporation of American corporations, it is
preferred that any secure means of electronic communication is adopted to conform to the
requirements of Delaware Corporate Law.

Others have attempted to adapt electronic communications to virtual meetings that conform to
the requirements of Delaware Corporate Law. For instance, Marie S. Britton, Electronic
Stockholder's Meetings - Delaware Begins the Next Chapter, CORPORATE GOVERNANCE ADVISOR
(Sept./Oct. 2000); Jesse A. Finkelstein, Shareholder Meetings in Cyberspace: Will Your Next
Meeting Location Be a Website?, INSIGHTS (June 2000); and C. Stephen Bigler, 2000 Amendments to
the Delaware General Corporation Law, INSIGHTS (Aug. 2000), each of which is hereby
incorporated by reference with respect to their disclosure of virtual meetings.
SUMMARY OF THE INVENTION 

The present invention provides a method of remote communication that facilitates confidential
and secure decision making in corporate or other bodies in accordance with applicable legal
procedures. Desirably, a shareholder is able to express his views on issues submitted to the
shareholders by means of an electronic transmission that is both secure and verifiable. In one
embodiment of the present invention, a means of communication such as telephone, electronic
bulletin board, e-mail, instant messaging, the Internet, webcasting, video streaming, or any
other form of electronic transmission and physical meetings or any combination thereof, using
verification and encryption technologies to ensure that the identity of each person entitled to
vote has been verified (hereinafter an "Authorized Voter") and that the voting process is free
from tampering.

The method of the present invention may be used to facilitate voting at meetings of a wide
variety including, but not limited to general or special shareholder meetings of corporations,
partnership meetings, meetings of membership associations and not-for-profit corporations, bond
holder meetings, and meetings among unit-holders of unit trusts or similar vehicles (each of the
foregoing being hereafter referred to as the "Company") or meetings of the Board of Directors
of a Company, where such voting may be conducted, in whole or part, by electronic means, in
accordance with applicable law.

The method of the present invention is designed to be employed in Japan, the various states of
the United States and those jurisdictions in Western Europe where electronic voting is
permitted. The method is to be used in conjunction with customary corporate or other governance
procedures during the conduct of a duly authorized meeting and is intended to enable such
meetings through electronic means.

In general, the method of holding a meeting of the present invention includes a plurality of
the following steps: notice to the eligible participants; convocation of the meeting;
commencement of the meeting; conducting the meeting; polling the attendees on matters put to a
vote of the eligible participants at the meeting; conducting any further business; closing the
meeting; and ancillary steps such as providing notice, obtaining consents, delivering documents
and permitting solicitations of votes of eligible participants.

1. Notice. In a preferred embodiment of the present invention, notice of the convocation of
the meeting is given by e-mail or other electronic means (in addition to other communication
means, if desired), no later than the minimum number of days required by applicable law for
such notice. For instance, if the organization holding the meeting has the e-mail addresses of
its eligible participants and such participants have consented to receiving notice by e-mail,
the organization sends such participants notice of an upcoming meeting by e-mail.

In one embodiment of the present invention, prior to the meeting, eligible participants are
permitted to access the list of eligible participants in a manner that enables them to send out
materials to the other eligible participants. For instance, an eligible participant could send
out materials soliciting votes for a Board of Directors different from the slate of Directors
nominated by management.

In an alternative embodiment of the present invention, notice may be given effectively to
eligible meeting participants as set forth in relevant statutes, the certificate of
incorporation, or the bylaws shall be effective if given by a form of electronic transmission
consented to by the eligible participant to whom the notice is given. Any such consent shall be
revocable by the eligible participant by written notice to the organization. Any such consent
shall be deemed revoked if (1) the organization is unable to deliver by electronic transmission
2 consecutive notices given by the organization in accordance with such consent and (2) such
inability becomes known to the secretary or an assistant secretary of the organization or to
the transfer agent, or other person responsible for the giving of notice; provided, however,
the inadvertent failure to treat such inability as a revocation shall not invalidate any
meeting or other action.

Desirably, when notice is given by a posting to a website by the organization, and the
organization provides the eligible participants with notice of the posting, the secretary or
other agent of the organization makes a record of the facts.

2. Convocation. On the day and at the time set for the convocation of the meeting as set forth
in the notice, an appropriate officer of the Company shall certify that a quorum is present or
represented by proxy. Presence or attendance at the meeting shall be demonstrated by physical
presence, encrypted e-mail, or other secure means. In one embodiment of the present invention,
eligible meeting participants log in to a website and once logged in, they are present for the
meeting until they log off. Following convocation of the meeting, the appropriate officer shall
execute all other formalities required by applicable law prior to commencement of the meeting.

In a particularly preferred embodiment of the present invention, eligible meeting participants
log in to a secure website that records their presence at the web meeting. Additionally, the
website is able to poll the logged in participants at some predetermined interval, for instance
once every 5 or 10 minutes, to ensure that the participant is still in attendance. If the
participant does not respond to the polling, the participant is considered to have left the
meeting and is not counted for quorum or other purposes until they log in again.
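The attendance polling described above, as an added Go example that is not part of the patent text. The 5-minute response window follows the text; the share register, the majority-of-shares quorum rule and all names are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

type attendee struct {
	shares   uint64
	present  bool
	lastSeen time.Time
}

// Meeting tracks which eligible participants currently count as present.
type Meeting struct {
	window time.Duration // time allowed to answer a poll
	total  uint64        // all shares entitled to vote
	roll   map[string]*attendee
}

func NewMeeting(window time.Duration, register map[string]uint64) *Meeting {
	m := &Meeting{window: window, roll: map[string]*attendee{}}
	for id, shares := range register {
		m.roll[id] = &attendee{shares: shares}
		m.total += shares
	}
	return m
}

// LogIn marks an eligible participant present; IDs not on the register are refused.
func (m *Meeting) LogIn(id string, now time.Time) bool {
	a, ok := m.roll[id]
	if !ok {
		return false
	}
	a.present, a.lastSeen = true, now
	return true
}

// Respond records a poll answer. A participant who missed the window is
// dropped and stays dropped until a fresh LogIn, as the text requires.
func (m *Meeting) Respond(id string, now time.Time) bool {
	a, ok := m.roll[id]
	if !ok || !a.present {
		return false
	}
	if now.Sub(a.lastSeen) > m.window {
		a.present = false
		return false
	}
	a.lastSeen = now
	return true
}

// PresentShares drops everyone whose last answer is older than the window
// and returns the shares still in attendance.
func (m *Meeting) PresentShares(now time.Time) uint64 {
	var sum uint64
	for _, a := range m.roll {
		if a.present && now.Sub(a.lastSeen) > m.window {
			a.present = false
		}
		if a.present {
			sum += a.shares
		}
	}
	return sum
}

// HasQuorum applies a majority-of-shares rule (assumption; the real threshold
// comes from the governing law or by-laws).
func (m *Meeting) HasQuorum(now time.Time) bool {
	return m.PresentShares(now)*2 > m.total
}

// at returns a constructed meeting clock: a fixed start time plus minutes.
func at(minutes int) time.Time {
	return time.Date(2002, 12, 20, 10, 0, 0, 0, time.UTC).Add(time.Duration(minutes) * time.Minute)
}

func main() {
	// Constructed register: participant ID -> shares held.
	m := NewMeeting(5*time.Minute, map[string]uint64{"alice": 1000, "bob": 100, "carol": 600})
	m.LogIn("alice", at(0))
	m.LogIn("bob", at(0))
	fmt.Println("quorum at start:", m.HasQuorum(at(0)))
	m.Respond("bob", at(4)) // alice never answers the poll
	fmt.Println("quorum at +6 min:", m.HasQuorum(at(6)))
	fmt.Println("late answer accepted:", m.Respond("alice", at(7)))
	m.LogIn("alice", at(8))
	fmt.Println("quorum after re-login:", m.HasQuorum(at(8)))
}
```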

3. Commencement of Meeting. The Chairman of the meeting shall call the meeting to order and
make all statements normal and customary at such time. All statements by any officer of the
Company and any Authorized Voter shall be recorded and immediately transmitted to all
Authorized Voters and Company officers attending the meeting. The Chairman of the meeting shall
execute all other formalities required by applicable law following commencement of the meeting.

In one embodiment of the present invention, the meeting is conducted on a website. For
instance, there can be a webcast of a physical meeting including the
or the meeting could consist of a plurality of pages posted to the website that are
progressively made available as the meeting progresses. One or more of these pages could have
audio files corresponding to text files or instead of text.

4. Conduct of Meeting. The Chairman of the Meeting shall make such reports as shall be required
by applicable law or thought desirable by the Chairman. Other officers or people designated by
the Chairman shall also make such reports that are necessary or desirable. All such reports and
communications shall be recorded and concurrently transmitted to all Authorized Voters and
Company officers.

Additionally, the chair could permit one or more of the eligible meeting participants to make
their own presentations. In one embodiment of the present invention, there is a time delay from
the submission of a webpage from a participant before the submitted page is posted to enable
the chair, or one or more persons acting on behalf of the chair, to vet any submitted pages to
ensure that the submitted pages comport with any applicable standards for submissions from
persons attending the meeting. For instance, the submitted page could address a matter of
corporate governance that the laws governing the organization reserve exclusively for the Board
of Directors. In such a case, the chair, or his designee, could lawfully withhold the posting
of such material.

5. Voting. The Chairman of the meeting or other officer of the Company shall put forth
proposals that are to be voted upon by Authorized Voters. Following each proposal, discussion
on each such proposal may take place using any of the communication means set forth above.
Thereafter, the Chairman or other officer of the Company shall call for a vote. A vote on each
proposal may be cast by paper ballot or encrypted electronic ballot (an e-ballot), or other form
of electronic transmission.

Following each vote, an appropriate officer shall record the results of the vote in the Company
records and make the results known to the Authorized Voters in accordance with Company
procedures. At the end of the voting, the Chairman or other officer will close the polls.

Heretofore, current approaches to provide a secure voting system on a wide area or local area
network have traditionally emphasized purely cryptographic-protocol-based solutions to secure
the voting. The work done to date is largely purely research into specific issues in secure
electronic voting and does not address the practical application into a real-world system. The
prior art has approached worldwide area network, for example, on the global computer network
known as the Internet, elections as an extension of secure, electronic commerce techniques
without providing a comprehensive approach to the significant threats, vulnerabilities and
risks that threaten the security, authenticity and reliability of such elections.

Electronic transmission elections must achieve the objective of conventional elections,
specifically: "democracy" (only registered citizens may vote in accordance with their
respective voting rights - for instance, the vote of a holder of 1000 shares will be accorded
ten times the weight of the vote of the holder of 100 shares), accuracy (votes may not be
altered, forged or deleted), "privacy" (no one may know how anyone else voted or prove how they
voted), and "verifiability" (everyone should be able to verify their own ballot, as well as the
correctness of the entire election). Moreover, electronic transmission elections address
additional capabilities: "mobility" (individuals should be able to vote from any
Internet-accessible location, at any legal time), "convenience" (voting should be simple and
convenient for everyone), and "flexibility" (the technology should be applicable to all
elections).

Electronic transmission voting systems must achieve these objectives in the face of both
conventional election threats, and threats specific to automated, distributed computer systems,
including: fraud, abuse of privilege (privileged individuals may act inappropriately), denial
of service (computer services may be impaired or rendered inaccessible), software flaws,
tampering (of recorded ballots or other data), malicious software, wiretapping (sniffing,
modification or replay of communications), vote selling, or masquerading (by client/server
computers or by people).

The prior art has taken several approaches towards electronic transmission election systems.
Electronic commerce or E-Commerce approaches rely on securing communications through encrypted
connections and verifying individual identity only through weak or single-factor authentication
(e.g., passwords). Encrypted Absentee Balloting systems emulate conventional absentee balloting
by using ballots that are doubly encrypted using symmetric keys. Cryptographic protocols,
particularly those relying on asymmetric or public-key cryptography hold the greatest promise
but have been relegated largely to the academic community.

All these techniques have characteristic weaknesses. E-Commerce techniques secure only
voter-system communications. They provide weak authentication and no (strong) mechanisms for
achieving democracy, privacy, accuracy or verifiability. Encrypted Absentee Ballot systems
provide better privacy, but provide no stronger mechanisms for democracy, accuracy or
verifiability, and are vulnerable to abuse of privilege, potentially compromising the keys used
to ensure privacy. Many of the cryptographic protocols developed to date are complex, making
implementation verification difficult. Public-key cryptography and digital signature techniques
promise strong authentication, accuracy and verifiability. However, the generation and
distribution of public-private (secret) key-pairs, and the protection of private keys, makes
these techniques difficult to apply to large-scale applications such as electronic transmission
voting.

Specifically, it has been recognized that existing private-key management techniques, i.e., PKI
approaches, are not acceptable if they require the end users to buy, install or configure
anything, or require any particular type of client device. Such considerations become
particularly significant when there may be huge numbers of end users, for example, 100,000 to
1,000,000, such as may be the case in an election.

It is recognized that PKI technology supports the use of public-key cryptography by providing
various means to generate public/private (secret) key pairs, protect access to the private
(secret) key so that it can be used only by the individual with whose identity it is
associated, and provide for distribution and convenient access to the public key. Common
strategy involves generation of public/secret key pairs on a user's personal computer by an
application such as a web browser, storage of the private key within a personal identification
number (PIN) protected, encrypted key-store file on the user's personal computer (PC), and
exportation of the public key to a certificate authority, for example, where it is wrapped in a
digital certificate, such as an X.509 digital certificate, and made available for public access
on a lightweight directory access protocol (LDAP) certificate directory service.

This approach has advantages in that it is convenient and the private keys never leave the
user's PC. Disadvantages result, however, because even though the private keys are protected in
PIN-based encrypted files, PCs offer little protection against key-store cryptoanalysis by
malicious software, and user mobility is impaired as it requires effort to export a private key
so that it can be used on another platform.

An alternative strategy involves generation of public/secret key pairs on a secure platform
rather than the user's PC, for example, a server. Yet still further, the approach involves
storage of the private key, and perhaps other authentication-related data, on a storage device
such as a password-encrypted floppy disk, or on a password-protected token/dongle, Java-ring
(iButton) or smart card devices, as well as exportation of public keys and digital certificates
as described with respect to the first approach.

WO 2004/059550 PCT/US2002/041357

One advantage of this approach is that the private key is more easily accessed from various
computers, facilitating mobility, so long as there is a hardware interface for the private-key
device. In addition, the private key is better protected within a removable device. Resultant
disadvantages include the fact that the server must be verified not to make/leave copies of the
private key. In addition, there must be some sort of hardware interface to allow retrieval of
the key from the storage device, e.g., disk drive, USB port, iButton/smart card reader, etc.
Yet still further, the hardware interfaces may be expensive, difficult to install/configure,
and may not be universally available, thus inhibiting mobility.

The advantages and disadvantages of the above-identified two approaches have led to a third
approach. In the third approach, generation of public/secret key pairs is done on a secure
platform other than the user's PC, for example, a server. The secret keys are stored in
encrypted form on the secure server and downloaded to the client over a secure network
connection as needed to support authentication, digital signature or encryption operations. The
server must authenticate the user by some non-PKI-based method before allowing the user to
download their private key. In most cases, this will still require some authentication device.

While providing further refinements and including advantages such as convenience and mobility
being improved because private keys are always available from a network server, and no hardware
interfaces are required on the client device, significant disadvantages still remain.

Initially, it is noted that there is a need for a secondary strong authentication technique
that requires hardware token support, e.g., SecureID. In addition, such hardware tokens incur
additional expense, and private keys are stored on a secure server using one or more keys known
to the server, thus requiring the server to protect access to and use of these keys.

In all three approaches described, retrieval of private keys from local/network storage is
required for use within the memory of a PC or thin-client device, and exposes the key to
potential compromise. Only tokens with processors can perform the necessary cryptographic
operations without exposing the private key. None of the approaches offer sufficient security,
mobility and convenience at a sufficiently low cost to make public/private key cryptographic
services, e.g., authentication, non-repudiation, encryption, attractive for applications with a
potentially large number of users such as in the case of an election with users numbering from
anywhere between 100,000 to about 10,000,000.

In order to make public/private key cryptographic services feasible for such applications,
there must be a low-cost way to generate public/secret keys, while providing secure storage for
and access to those keys without requiring special hardware or inconvenient procedures. These
advantages and other advantages are provided by the system and method described herein, and
numerous disadvantages of existing techniques are avoided.

In accordance with one aspect of the invention, there is provided a method of securely voting
over a network, which can be a local area network, or a wide area network such as the global
computer network known as the Internet. The method involves delivering an electronic ballot
from a server with a vote serial number on the ballot, to an individual at a terminal over a
connection secured using both the server's and the voter's private keys. Thereafter, the ballot
is filled in with the voter's choices, which are digitally signed using the voter's private
key. The voter's ballot choices, bearing the voter's electronic signature, and the vote serial
number are then delivered to the server. A data element is then created from the individual's
digital signature of the ballot choices, the server's digital signature of the voter's ballot
choices (created using the server's private key) and the vote serial number to allow recording
of the subset of the ballot in a data store at the server, and retaining the ballot information
as a vote. This data element is then digitally signed using the server's private key to ensure
its integrity and authenticity.
As described herein, the terms "individual", "user", "client", and "voter" are used
interchangeably, and refer to a person on their own terminal which can be a personal computer
or other like device on which voting in accordance with the method and system herein is
achieved.

In a more specific aspect, the retention of the vote at the server can be confirmed by signing
the individual's signature of the ballot, the server's signature of the ballot, and the vote
serial number, and the signed confirmation is transmitted to the individual who submitted the
ballot.

Yet still further, the method involves recording in the server's data store the server's
digital signature of the ballot to allow verification at the server that all of the ballots
cast have not been tampered with.

In a more specific application, while the ballots are initially described as being generated as
an HTML document, to provide additional security, in an alternative form the ballot can be
generated in bit-map form such that the intentions of the voter or individual voting may be
determined by monitoring the (x,y) coordinates of their mouse-clicks on the ballot bit-map.
This provides enhanced security, since to read bit-map documents requires advanced optical
character recognition technology, which in turn requires and imposes a large computing power
overhead, thus making malicious hacking into the system significantly more difficult and
detectable.

In an alternative aspect, there is described a system for conducting secure voting over a
network, for example, the global computer network known as the Internet, or on a local area
network. The system includes a server having a data store associated therewith. The server is
configured for connection to the network for communicating with terminals connected to the
network. The server is further configured for delivering an electronic ballot having the vote
serial number on the ballot, to an individual at a terminal connected to the network, and the
ballot being configured for being filled in by the individual, and for having a subset thereof
delivered to the server with the individual's electronic signature, and the vote serial number
thereon.

Yet still further, the server is further configured for receiving the ballot choices and
creating a data element from the electronic signature of the individual's ballot choices, the
server's electronic signature of the individual's ballot choices, and the vote serial number to
allow recording of the ballot choices in the data store and retained therein as a vote. This
data element is then digitally signed using the server's private key to ensure its integrity
and authenticity.

In a further aspect, the server is programmed for confirming retention of the vote at the data
store by signing the individual's signature of the ballot choices, the server's signature of
the ballot choices and the vote serial number, and thereafter transmitting the signed
confirmation to the individual who submitted the ballot.

Yet still further, the system provides that the server is programmed for recording in the data
store the server's digital signature of the ballot choices for allowing verification at the
server that all of the ballots cast have not been tampered with.
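The ballot flow described in the method and system passages above, as an added Go example that is not part of the patent text: the voter signs the choices, the server countersigns them, seals both signatures with the vote serial number, returns the sealed record as confirmation and can later audit its store. Ed25519, the byte layout of the sealed input, single use of each serial and all names are assumptions; the patent does not name an algorithm.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// VoteRecord is the "data element": voter and server signatures over the ballot
// choices plus the vote serial number, sealed with the server's private key.
type VoteRecord struct {
	Serial                    uint64
	VoterSig, ServerSig, Seal []byte
}

type Server struct {
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	next    uint64
	issued  map[uint64]ed25519.PublicKey // serial -> voter key, removed once used
	store   map[uint64]VoteRecord        // the server's data store
	ballots map[uint64][]byte            // ballot choices as recorded
}

// newKey generates an Ed25519 key pair; a nil reader selects crypto/rand.
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewServer() *Server {
	pub, priv := newKey()
	return &Server{pub: pub, priv: priv, issued: map[uint64]ed25519.PublicKey{},
		store: map[uint64]VoteRecord{}, ballots: map[uint64][]byte{}}
}

// SignChoices is the voter's terminal signing the filled-in ballot choices.
func SignChoices(priv ed25519.PrivateKey, choices []byte) []byte { return ed25519.Sign(priv, choices) }

// IssueBallot binds a fresh serial to one voter key (single use is an assumption).
func (s *Server) IssueBallot(voter ed25519.PublicKey) uint64 {
	s.next++
	s.issued[s.next] = voter
	return s.next
}

// sealInput lays out serial || voterSig || serverSig for the sealing signature.
func sealInput(r VoteRecord) []byte {
	b := make([]byte, 8, 8+2*ed25519.SignatureSize)
	binary.BigEndian.PutUint64(b, r.Serial)
	return append(append(b, r.VoterSig...), r.ServerSig...)
}

// Accept verifies the voter's signature, then countersigns, seals and stores the vote.
func (s *Server) Accept(serial uint64, choices, voterSig []byte) (VoteRecord, error) {
	voter, ok := s.issued[serial]
	if !ok {
		return VoteRecord{}, fmt.Errorf("serial %d not issued or already used", serial)
	}
	if !ed25519.Verify(voter, choices, voterSig) {
		return VoteRecord{}, fmt.Errorf("serial %d: voter signature does not cover these choices", serial)
	}
	delete(s.issued, serial)
	rec := VoteRecord{Serial: serial, VoterSig: append([]byte(nil), voterSig...),
		ServerSig: ed25519.Sign(s.priv, choices)}
	rec.Seal = ed25519.Sign(s.priv, sealInput(rec))
	s.store[serial] = rec
	s.ballots[serial] = append([]byte(nil), choices...)
	return rec, nil // the sealed record doubles as the signed confirmation
}

// VerifyRecord checks both server signatures (voter on receipt, server on audit).
func VerifyRecord(serverPub ed25519.PublicKey, rec VoteRecord, choices []byte) bool {
	return ed25519.Verify(serverPub, choices, rec.ServerSig) &&
		ed25519.Verify(serverPub, sealInput(rec), rec.Seal)
}

// Audit returns the serials of stored votes that no longer verify.
func (s *Server) Audit() (bad []uint64) {
	for serial, rec := range s.store {
		if rec.Serial != serial || !VerifyRecord(s.pub, rec, s.ballots[serial]) {
			bad = append(bad, serial)
		}
	}
	return bad
}

func main() {
	srv := NewServer()
	pub, priv := newKey()
	serial := srv.IssueBallot(pub)
	choices := []byte("proposal-1=FOR;proposal-2=AGAINST") // constructed sample ballot
	rec, err := srv.Accept(serial, choices, SignChoices(priv, choices))
	fmt.Println("accepted:", err == nil, "confirmation verifies:", VerifyRecord(srv.pub, rec, choices))
	srv.ballots[serial][11] = 'A' // simulate tampering with the recorded ballot
	fmt.Println("serials failing audit:", srv.Audit())
}
```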

In a still further aspect, the system is capable of generating the ballot as either a bit-map
or an HTML document. The advantage of the bit-map document is that tampering or hacking becomes
more difficult because bit-map documents require optical character recognition as previously
discussed, such that malicious hacking is not easily achieved without detection.

6. Further Business. The Chairman may elect to continue the meeting to discuss further
business, followed by questions and answers, using all of the foregoing communication means.

7. Close of Meeting. The Chairman of the meeting shall declare the adjournment of the meeting
at the close of its business.

8. Other Procedures. If permitted by applicable law, the system described herein may be used to
complete all other corporate procedures such as the solicitation and receipt of consents,
waivers, or the posting and delivery of corporate notices, documents, or a combination thereof.
Brief Description of the Figures 

Figure 1 illustrates a preferred embodiment of the notice to potential meeting attendee aspect
of the present invention;

Figure 2 illustrates a preferred embodiment of the initiation of the virtual meeting of the
present invention;

Figure 3 is a system-level architectural view of how an operational system implementing
electronic transmission voting over a network, such as the global computer network known as the
Internet, can be configured;

Figure 4 is a block diagram illustrating the flow of the electronic ballot and associated data
elements between an individual or client side, and a server side, managing the electronic
transmission voting method;

Figure 5 is a block diagram showing in greater detail the components, and data information
exchange illustrated in FIGS. 3 and 4; and

Figure 6 is an architectural diagram showing in greater detail how a system and method as
described herein could be deployed on a broad basis on a network such as the global computer
network known as the Internet.

Detailed Description of the Preferred Embodiments

It is preferred that the electronic transmission used to effectuate any eligible participant
voting in an embodiment of the present invention is able to create a record that may be
retained, retrieved and reviewed by a recipient thereof and that it may be directly reproduced
in paper form by the recipient through an automated process.

It is further preferred that any eligible participant making a presentation at a 
meeting according to the present invention can be heard by each of the other eligible 
participants attending the meeting. 

It is yet further preferred that any meeting of eligible participants conducted according to
the present invention is recorded in a format that can be retrieved subsequently to reasonably
verify that the proceedings occurred and that the meeting was conducted in a substantially fair
manner.

It is still further preferred that a list of the eligible participants entitled to attend and
vote at the meeting is available to the other eligible participants, upon verification of their
status as an eligible participant entitled to attend and vote at the meeting. It is even
further preferred that the list of eligible participants entitled to attend and vote is
available to such eligible participants for at least the period of time from the posting of the
notice of meeting until the end of the meeting.

It is also preferred that the organization holding the meeting maintains a database of its
eligible participants including the address (physical and electronic) of the eligible
participants and which, if any, means of electronic transmission by which the eligible
participants consent to receive notices from the organization holding the meeting.

Turning now to Figure 1, organization 1 wishing to conduct a virtual meeting retains virtual
meeting host 2. At some time prior to the virtual meeting, organization 1 provides each of the
prospective meeting attendees 3 with a notice of the upcoming meeting. Desirably, said notice
of the upcoming meeting conforms to all the formal requirements of such a notice.

For instance, if organization 1 is a social club with a set of by-laws that specifies what must
be included in the notice of a meeting of organization 1, then this notice should conform to
those by-laws. Alternatively, if organization 1 is a corporate entity and it seeks to have a
meeting of its shareholders, for instance a special meeting of the shareholders, and if there
are laws governing what must be in any notice of a shareholder meeting, then this notice should
conform to such laws. For example, the notice might specify the date and location (either
physical or virtual) of the upcoming meeting as well as an agenda of items to be considered at
such meeting.
If organization 1 does not have the electronic address for each of the prospective meeting
attendees 3, the notice might also solicit the same.

Typically, if organization 1 wishes to hold a virtual meeting, it retains a virtual meeting
host 2. On retaining the virtual meeting host 2, organization 1 provides virtual meeting host 2
with electronic address information for each of the prospective meeting attendees 3. Desirably,
the notice of the upcoming meeting asks the prospective meeting attendees 3 to forward their
electronic addresses to said virtual meeting host 2.

Once organization 1 has provided notice to the prospective meeting attendees 3 and retained
virtual meeting host 2, virtual meeting host 2 contacts each prospective meeting attendee 3 to
arrange for the prospective meeting attendees 3 to have the software necessary to attend the
virtual meeting electronically in a secure and encrypted fashion.

Once each of the prospective meeting attendees 3 has their notice and necessary
software, the prospective meeting attendees 3 can then install such on their respective
workstations. Thereafter, at, or shortly before the date and time set forth in the
meeting notice, the prospective meeting attendees 3, as shown in Figure 2, can
communicate with virtual meeting host 2 and log onto the host's system, thereby
entering the virtual meeting space.

In an alternative embodiment of the present invention, in addition to permitting
an appropriate person - e.g., a member of an organization or a shareholder - to attend a
virtual meeting electronically, the virtual meeting system of the present invention can
permit such an appropriate person to designate, or revoke a prior, proxy for the purposes
of attending and acting at the meeting. Indeed, the virtual meeting system of the
present invention can permit a person to attend one or more parts of a meeting and
designate a proxy for any other parts of said meeting.

In a further alternative embodiment of the present invention, instead of using
digital certificates to authenticate electronic admission to the virtual meeting, another
means of remote authentication is used such as a password or biometrics.

In a further alternative embodiment of the present invention, using a means of
electronic authentication, the prospective meeting attendee is given access to materials
relevant to such a meeting. For instance, if the meeting is a listed Company
shareholders' meeting, the prospective meeting attendee can be given access to the
shareholder list, can deliver and receive electronic consents, proxies, options, warrants
and other documents.

In a preferred embodiment of the present invention, when the virtual meeting
attendee is logged into the meeting, the attendee's workstation has a plurality of
windows available having information that might be relevant to the meeting. For
instance, when the virtual meeting is a shareholders' meeting for a listed Company, the
prospective meeting attendee's workstation can have open windows that display the text
of any financial statements, proxy statements, security filings, resolutions to be
considered at the virtual meeting, or other business records.

Example 1

In one embodiment of the present invention, in preparation for the virtual
meeting, the organization desiring to hold a virtual meeting retains a virtual meeting
host.

Prior to the virtual meeting, the virtual meeting host gives each person
authorized to attend the virtual meeting (i) a notice of the meeting consistent with any
applicable rules or laws for such meeting and (ii) a Meeting Number. For instance, if
the virtual meeting is for shareholders of a Company, the virtual meeting host gives each
shareholder of a record date as set by the Board of Directors of the company, notice of
the shareholder meeting and a Meeting Number. In addition, each person authorized to
attend the virtual meeting obtains a digital certificate - which may function as an
encryption key, a digital signature, or both - from the virtual meeting host.

Each prospective virtual meeting attendee sets up their own "Virtual Meeting
Workstation". In some instances, this set up may require the installation of software
provided by the virtual meeting host. Additionally, if the virtual meeting is to provide
bidirectional video, the "Virtual Meeting Workstation" may require the addition of a video
camera.

If the virtual meeting is conducted in real time, then at the specified time, or
slightly before, the attendees, using their digital certificate from the virtual meeting host,
log into the virtual meeting room specified by their Meeting Number. When the
number of attendees is sufficient to constitute a quorum, the virtual meeting is called to
order.

In the instance where the virtual meeting is a shareholders meeting, an officer of
the company calls the meeting to order. Desirably, the notice of the meeting included
an agenda. Once the meeting is called to order, the agenda is followed.

When the meeting chair calls for a vote on an item, an encrypted ballot is sent to
each person attending the meeting electronically. Anyone attending the meeting in
person can vote in a traditional manner. Alternatively, persons in physical attendance
can be provided with access on site to an electronic vote recording device.

Persons receiving electronic ballots are given a period of time, say five minutes,
to cast their ballots. Typically, the time given to those casting ballots electronically is
comparable to the time given to those casting ballots in person.

The electronic ballots, when cast, are encrypted and sent to the virtual meeting
host. As the encryption desirably employs the voters' digital certificate, a digital
signature, the virtual meeting host can identify each ballot as received and give each
such ballot an appropriate weight. For instance, the ballot from a holder of 1000
shares can count as 10 votes whereas the ballot of the holder of 100 shares may count as
a single vote.

In a particularly preferred embodiment, the voter receives an electronic receipt
recording his or her ballot as soon as it is submitted.

When the time to submit ballots expires, the virtual meeting host can announce
the result of the ballot to all persons attending the meeting, electronically or in person,
concurrently.

In an alternative application, the convocation of such meeting as set forth above
may be extended over a period of days until a quorum is obtained.

FIG 3 is a system-level architectural view of how an operational system and
method as described herein might be implemented. The client personal computer 11 or
PC 11 is typically a personal computer running an operating system such as Microsoft
Windows, which may optionally include a smart card reader 13 connected thereto,
although this is not required. The PC 11 includes network access capability which can
be to the local area network, or to a global computer network 17. In the case of a global
computer network 17, the PC 11 would have access to the global computer network 17
through, for example, an Internet service provider (ISP) 15, or alternatively, access to
other parts of the network might be through a direct cable modem, or a local, or a
network attachment to the global computer network 17.

On the server side, there is provided a primary interface to the entire system
through a web server 19 in a conventional manner which is well known to those of
ordinary skill in the art, and which is common to most electronic commerce
architectures. The web server 19 interoperates with a certificate authority 21, which can
be for example, an enterprise server suite such as that available from Netscape
Corporation. The certificate authority 21 uses a certificate-generating system, such as
one like that available commercially under the name iPlanet, which is conventional, and
which is one of many alternatives which can be used to implement the functionality
described herein.

In addition, the web server 19 can also interoperate and be connected to a back
end application or database server 23 and an LDAP certificate directory server 25.

With respect to the LDAP certificate directory server 25, by way of explanation, it
can provide a certificate such as an X.509 certificate, which is a text file that is used to
contain information about an individual, together with an encoding of the individual's
public encryption key to the system described herein. The certificate file is then digitally
signed by the certificate authority 21 that issued it. If it is desired to use the public keys
of a number of individuals in an open context, there has to be a way of accessing the
X.509 certificates. This can be done by placing them on a lightweight directory access
protocol server (LDAP) such as the LDAP certificate directory server 25 shown,
through which access to those certificates can be provided. For example, LDAP servers
are provided commercially through a number of entities, and it is possible to obtain
from such servers another party's public key certificate, for example, if it is desired to
provide digitally signed, encrypted electronic mail.

More specifically, LDAP is a protocol on a data architecture for storing
name-value pairs and on an LDAP certificate directory server 25 there would be stored
certificates, such as X.509 certificates bound to each individual's name.

With respect to the application database server 23, it is also conventional and
well known to those of ordinary skill in the art. Such an application database server 23
can be implemented using Java Servlets or Enterprise Java Beans (EJBs), which are
typically small packets of functionality to make it easy and more efficient to use the
more sophisticated Java implementation of web server 19 functionality. In operation, the
web server 19 receives a request for a certain web page and in that web page is a
reference to some call onto a piece of Java functionality that is written as a Java Servlet.
An architecture known generally as the application database server 23 architecture
allows the web server 19 to call functionality in the database server using Java Servlets
or EJBs 23. The application/database server 23 is typically a separate machine that is
specifically optimized to support the invocation of that kind of functionality, encoded,
for example, as Java Servlets. More particularly, the application database server 23
allows invoking of precompiled and packaged functionality that is written in the form of
Java Servlets, EJBs, or some other type of reusable component.

In the case of the present system and method, the reusable functionality will
involve, for example, delivery of a ballot, which can be either in the form of an HTML
or XML document, or for enhanced security as will be described hereafter, in the form
of a bit-map.

Thus, when a user interacts with the web server 19 from their PC 11, a Servlet,
or one or more EJBs, processes the request for the user to register with the system,
including a request to cast a ballot. The Servlet or EJBs that are invoked present the
ballot to the user, and handle the interaction with the user in the course of casting the
vote.

If it is desired to look at the results of an election, another Servlet or a different
set of EJBs can be invoked to support that functionality. As may be appreciated by those
of ordinary skill in the art, fine-grained packaging of functionality can be defined
depending on the capabilities to be implemented as described hereafter.

In one implementation, a Transfer Agent 27 may also be tied into the system
and would be responsible for the registration of individuals who are legitimately, legally
allowed to vote in a meeting of a particular Company. One way of conducting the
registration is the conventional interacting in person with the Transfer Agent, or through
conventional mail. It is contemplated herein that such registration could be
accomplished over the network, such as the global computer network 17, in a manner
that it may be desired to have an electronic interface to the Transfer Agent 27.

As will also be appreciated, in the case of implementing an interface with the
Transfer Agent 27, some kind of X.509 certificate exchange as discussed previously
could also be implemented, and the use of certificates would serve to authenticate any
sort of interaction with the Transfer Agent 27. In addition, if an individual submitted a
registration or request, it could be digitally signed and thus would require the
individual's public key certificate in order to validate the signature.

In all cases, it would be required to digitally sign some electronic document,
and the digital signature would have associated with it a well-known identity which can
be looked up on a server such as an LDAP certificate directory server 25 to obtain the
public key certificate corresponding to the claimed identity, and to then verify that the
digital signature is actually a signature that could only have been generated by the
individual having the claimed identity.

This is all standard public key infrastructure technology and well known to
those of ordinary skill in the art. In the case of the Transfer Agent 27, this could be
done through a certified agent for registering the voters, and there might be several
methods by which such agents could be implemented and authorized by the Transfer
Agent 27. Irrespective of what system is implemented, the agent would be acting as a
front end to the Transfer Agent 27, and proxying the registration to them, and so, it
would have to be legally authorized to do so.

While on the server side a number of different individual functional
components are shown, it will be appreciated as an alternative that all the functions can
be implemented on a single server, or depending on the size of the system, the functions
can be allocated to separate servers which themselves may be replicated. This is an
alternative architectural approach well known to those of ordinary skill in the art, and
only for the sake of clarity has the system been shown in FIG 3 as separate boxes,
which could be co-located on a single machine or duplicated or replicated on multiple
boxes depending on the load and degree of redundancy and tolerance desired.

FIG 4 illustrates in block diagram form the data and information flow which
will occur in a system and method as described herein. The components of data flow are
shown divided by a dashed line 45 which separates the client 41 side which relates to
the individual and the individual's PC, and is separated from the server 43 side.

A ballot 51 is shown on the client 41 side which has been delivered from the
server 43 side and can be some form of electronic document. The document can take
various forms but for purposes of the description herein, the ballot 51 is assumed to be
an HTML form document, although more secure type and untamperable documents
such as bit-map representations can also be deployed in accordance with the system and
method.

The difficulty in building a system and method for such voting is being able to
verify that only a single individual can cast a ballot, that they can cast only one ballot,
and that it cannot be tampered with or undetectably altered or detected in any manner.
FIG 4 illustrates the essential implementation for being able to achieve these goals.

The ballot 51 is delivered, for example, to the home PC 11 through the web
server 19 from the application database server 23, all of which were previously
described with respect to FIG 3. Using the home PC 11, through a web browser, an
individual can go through and make selections on the ballot, and after pressing enter or
casting the ballot, the individual's PC 11 transmits back a subset of that form consisting
of the ballot choices and the voter's digital signature of the ballot choices, DS(B,c).

Thus as is shown in FIG 4, in the top arrow line from the ballot 51, the
selection is delivered as a representation to the server side 55. The ballot and response
values are structured in a way that it is easy to read the response values and determine
which issues or offices were being voted on, and what the selections were. Those values
are parsed and stored into a relational database, the structure of which will be described
hereafter with reference to a separate figure. When the ballot is received on the server
side 43 as shown by the dashed line box 53, the server computes DS(B,s), a digital
signature of the ballot using the server 43 private key.

In FIG 4, in labels such as DS(...,C) or DS(...,c), an upper case letter means
a public key, and a lower case letter means a secret or private key, so that in any
particular block, this refers to the fact that when a ballot is received, the server creates a
digital signature of the ballot using the server's secret or private key. On the client 41
side, when an individual casts a ballot 51, the client 41 side creates a digital signature of
the ballot 57 using the individual's secret or private key. Thus, both of these signatures,
one created by the individual, and the other created by the server, can only have been
created by the respective entities because they are both signatures that are created using
the respective secret or private keys.

WO 2004/059550    PCT/US2002/041357

The individual's signature of the ballot is then delivered to the server 43 side
where it is combined with three other elements at block 59. Specifically, the server's
signature 53 is combined with the individual's signature 57 along with a vote serial
number (VSN) which is, for example, like a ballot serial number and can be an arbitrary
number that goes from one to infinity. The vote serial number can be generated per
election, and has no relationship to the voter, and is just an incidental sequence number
that indicates a vote delivered in the election. Those three elements are then digitally
signed by the server yielding DS(C,s), and the four combine into an aggregation of core
components which is a ballot confirmation token. This allows confirmation that a
particular ballot has been retained in the system and no tampering has occurred. That
token is then transmitted back to the individual as a confirmation token 61. The
confirmation token 61 can then be encrypted with the individual's public key, thus
rendering it undecipherable to anyone except the individual.

Such encryption is not mandatory but may be desirable, depending on other
specific implementations of the system and method. For purposes of the disclosure
herein, it is noted that while the term "token" is referred to, it could be characterized as a
data element which is the signature confirmation by the server, in particular, the
confirmation which has three components and a digital signature. Thus, by tying these
components together, and having the server sign the components, if later on someone
submits the confirmation, the server can verify that the confirmation was issued by the
server, minimizing the possibility that confirmations can be forged.

On the server 43 side, the server's digital signature is also recorded along with
the vote or ballot as shown at block 55. If it becomes desirable to verify that all of the
ballots cast in the election have been untampered with, that can be done on the server 43
side using only the contents of the database and the server ballot signatures which have
been recorded in the data store.

This is further illustrated by arrow 63 which illustrates universal verifiability.
More specifically, a search is conducted through the database in a manner indexed to a
vote serial number, and for each vote serial number, a ballot is reconstructed. The
reconstructed ballot has no identification back to the voter and is completely anonymous.
However, the ballot responses are the same as those that the individuals generated when
the ballot was cast. A digital signature can then be created over the reconstructed
ballot using the server's public key, and that signature can be verified against the
signature that was recorded when the individual cast the ballot that was created using
the server's private key. Thus, the arrow 63 represents the validation of the server's
ballot signature created with its private key, against the server's ballot signature that was
generated from the reconstructed ballot using the server's public key. This can be done
for all of the ballots stored in the system, and thus, it can be verified that none of the
ballots have been tampered with at any point in time after a ballot has been cast. This
is referred to as universal verifiability, which refers to the property that allows for
verification that for all voters none of the ballots have been forged, deleted or altered.

Consider now the case where an individual would want to connect to the
system, i.e., on the server 43 side to determine if their ballot vote is properly recorded.
In such a case, the individual can present vote confirmation 61 through a transmission
67 to the server 43 side. Of course, the individual will have to decrypt the
confirmation 61 as previously discussed using their private key. The confirmation is
then presented to the system which decomposes the confirmation into four components,
which are represented by blocks 69, and have been previously discussed with reference
to blocks 59 and 61.

The digital signature on that confirmation can then be recomputed, and it can
be verified that the confirmation has not been altered. Having done so, the vote serial
number can then be extracted from the confirmation, and the database can be indexed to
allow reconstruction of the voter's ballot exactly as cast.

The two horizontal arrows 71 and 73 illustrate what is known as individual
verifiability. The server's ballot signature can be extracted out of the confirmation and
validated against the server's ballot signature that is generated from the reconstructed
ballot. This is demonstrated by the exchange which occurs through arrow 71. The
individual's ballot signature that was computed using the individual's private key can
also be validated by the comparison represented by arrow 73 against the digital
signature that is taken over the reconstructed ballot using the voter's public key. This
can be done because the communication between the individual and the server is
protected, as illustrated later in FIG 5, by a secure socket layer (SSL) connection 101
that provides temporary access to the individual's public key.

In fact, in such an implementation, the public key of the individual on the
individual's end of the connection can be obtained outside of the system and once it is
known what the individual's public key is, the requirement for an LDAP certificate
directory server 25 to obtain the public key can be eliminated.

As may be appreciated from the discussion of individual verifiability, in
contrast to universal verifiability, individual verifiability provides two ways of verifying
by using either the server's digital signature or the individual's digital signature on the
ballot.
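
The FIG 4 flow described above, as an added Node.js example that is not part of the patent text: the server issues the four-part confirmation token, then runs the universal (arrow 63) and individual (arrows 71 and 73) checks by verifying each recorded signature against the reconstructed ballot with the signer's public key. Ed25519 keys, the JSON encoding, the in-memory tables, the signature check on receipt and all function names are assumptions.

```javascript
// Added illustration of the FIG 4 data flow; Ed25519 and all names are assumptions.
const nodeCrypto = require('node:crypto');

// Canonical byte encoding of the ballot choices so both sides sign identical bytes.
function encodeBallot(choices) {
  const sorted = Object.keys(choices).sort().map((issue) => [issue, choices[issue]]);
  return Buffer.from(JSON.stringify(sorted), 'utf8');
}

const sign = (bytes, privateKey) => nodeCrypto.sign(null, bytes, privateKey).toString('base64');
const verify = (bytes, publicKey, sigB64) =>
  nodeCrypto.verify(null, bytes, publicKey, Buffer.from(sigB64, 'base64'));

// Bytes covered by DS(C,s): server ballot signature, voter ballot signature, VSN.
function tokenBody(serverSig, voterSig, vsn) {
  return Buffer.from(JSON.stringify([serverSig, voterSig, vsn]), 'utf8');
}

class ElectionServer {
  constructor() {
    this.keys = nodeCrypto.generateKeyPairSync('ed25519');
    this.nextVsn = 1;               // vote serial number, unrelated to the voter
    this.results = new Map();       // election results table: VSN -> choices
    this.verification = new Map();  // election verification table: VSN -> {time, serverSig}
  }

  // Blocks 53, 55 and 59: record the ballot, return the confirmation token.
  castBallot(choices, voterSig, voterPublicKey) {
    const ballot = encodeBallot(choices);
    // Assumption: a ballot whose DS(B,c) does not verify is rejected on receipt.
    if (!verify(ballot, voterPublicKey, voterSig)) throw new Error('bad voter signature');
    const vsn = this.nextVsn++;
    const serverSig = sign(ballot, this.keys.privateKey);             // DS(B,s)
    this.results.set(vsn, { ...choices });                            // no voter identity stored
    this.verification.set(vsn, { time: Date.now(), serverSig });
    const tokenSig = sign(tokenBody(serverSig, voterSig, vsn), this.keys.privateKey); // DS(C,s)
    return { serverSig, voterSig, vsn, tokenSig };
  }

  // Universal verifiability: list every VSN whose stored choices fail DS(B,s).
  auditAll() {
    const bad = [];
    for (const [vsn, row] of this.verification) {
      const ballot = encodeBallot(this.results.get(vsn) || {});       // a deleted row fails too
      if (!verify(ballot, this.keys.publicKey, row.serverSig)) bad.push(vsn);
    }
    return bad;
  }

  // Individual verifiability: check the token, then both ballot signatures.
  checkConfirmation(token, voterPublicKey) {
    const { serverSig, voterSig, vsn, tokenSig } = token;
    if (!verify(tokenBody(serverSig, voterSig, vsn), this.keys.publicKey, tokenSig)) {
      return 'token-forged-or-altered';
    }
    const stored = this.results.get(vsn);
    if (!stored) return 'ballot-missing';
    const ballot = encodeBallot(stored);                              // reconstructed ballot
    const serverOk = verify(ballot, this.keys.publicKey, serverSig);  // arrow 71
    const voterOk = verify(ballot, voterPublicKey, voterSig);         // arrow 73
    return serverOk && voterOk ? 'recorded-as-cast' : 'ballot-altered';
  }
}

// Constructed sample run: one voter, one ballot, then a change made in the data store.
function demo() {
  const server = new ElectionServer();
  const voter = nodeCrypto.generateKeyPairSync('ed25519');
  const choices = { 'Resolution 1': 'For', Director: 'Candidate A' };
  const voterSig = sign(encodeBallot(choices), voter.privateKey);     // DS(B,c)
  const token = server.castBallot(choices, voterSig, voter.publicKey);
  const before = server.checkConfirmation(token, voter.publicKey);
  const forged = server.checkConfirmation({ ...token, vsn: token.vsn + 1 }, voter.publicKey);
  server.results.get(token.vsn)['Resolution 1'] = 'Against';          // stored row altered
  const after = server.checkConfirmation(token, voter.publicKey);
  return { before, forged, audit: server.auditAll(), after };
}
```

Because the results table holds only the VSN and the choices, the audit in `auditAll()` needs no voter identity, while `checkConfirmation()` needs the token that only the voter holds.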

FIG 5 shows in greater detail the general architecture shown in FIG 3, and the
data flow shown in FIG 4. Specifically, the upper part of FIG 5 shows the various
components of the system along with boxes showing the data flow, with the lower
portion of FIG 5 showing in greater detail the various resultant tables assembled with
ballots that have been cast.

A smart card reader 13 can be implemented connected to an individual's PC 11
on a smart card 103 which is read by the smart card reader 13, and can have stored
thereon an individual's private (or secret) encryption key. A certificate such as an
X.509 certificate for their public key, and their voter identification number which is an
arbitrary sequence number generated when they register with the system, can also be
stored on the smart card 103. The individual's PC 11 will typically be running a
standard web browser 105, such as is commercially available from Netscape
Corporation, and inside the web browser 105 is a Java script interpreter 107 with the
ballot 51 presented within the web browser 105. Although the ballot has been previously
described, and is illustrated in FIG 3, as an HTML or XML document, it can also take
other forms such as a bit-map, if enhanced security is desired.

While a personal computer 11 has been shown with a standard
commercially-available browser 105, it may also be appreciated that such browsers are
often not sufficiently secure. Thus, as contemplated herein, it is also possible to
implement in a manner well known to those of ordinary skill in the art, a non-commercial
browser which avoids the security pitfalls of currently-existing commercial browsers.

More specifically, it is common for malicious software to read/modify sensitive
files on unsecure personal computers. Such unsecure personal computer platforms can
include those which are Intel processor/Microsoft Windows operating system, or Apple
Macintosh operating system-based. Specifically, in such commercial systems, the
security ends at the client. As a result, the entire system may be vulnerable to attack
by malicious software executing within the individual's PC. With no individual
platform security mechanisms, such attacks could detrimentally impact information
confidentiality, integrity, authenticity, or availability within the overall system.

In order to address such a problem which may be inherent in a conventional
commercial web browser, and with ballots such as an HTML or XML document ballot
51, a protocol can be implemented that combines anonymous context, and visual
obfuscation to make it virtually impossible for malicious software to knowledgeably and
undetectably interfere with a concurrently executing individual PC application in order
to impact information confidentiality, integrity and authenticity.

In accordance with the specific implementation of such security as
contemplated herein, and as will be readily apparent to those of ordinary skill in the art,
cryptographic techniques, protocols and data representation can be implemented in
order to increase the work required of malicious software beyond what can be
accomplished within a voting session at an individual's personal computer 11.
Specifically, implementation of visual obfuscation is intended to defeat the ability of
malicious software to determine or alter network content. Such a technique would
include but not be limited to variation of text, font, size, spacing, etc. The wording of
the text associated with ballot choices, the location of graphic components, the shape of
image of choice/selection targets, explicit or implicit relationships between graphical
elements, and in some cases, color, can also be implemented in an obfuscating manner.
In addition, a technique for converting content in HTML or XML format to image
format can be employed as will be readily apparent to those of ordinary skill in the art,
making it difficult, with current OCR algorithms to intercept and alter the limited ballot
information being transmitted. Such OCR techniques are generally processor intensive,
and thus attempts by malicious software to alter or interpret such ballot information
would be readily detected.

Thus, as shown in the FIG 5 a voter ID and the public key of the individual is
transferred at 118 over an SSL connection 101 to the web server 19 on the server 43.
The server side 43 includes a number of function boxes assembled as one box
109. The web server 19 which includes an execution environment for Java Servlets 111
then sends a ballot 119 obtained from a collection of ballots 113, to the individual PC
111 through a transmission 119. The individual then marks the ballot and returns the
ballot as shown with arrow 121 with the choices thereon. The confirmation shown as
block 61 is then returned as shown by arrow 123.

It will be appreciated that within the collection 109 of function boxes, separate
functionality and information is provided, for example, from the collection of election
ballots 113, vote serial numbers 119, and certificates 117, characterized preferably as
X.509 certificates. In the Figure, block 115 is typically the application database server
23 shown in FIG 1 and serves to compile the election voter table, election database and
optionally, a voter demographics database, all of which will be described hereafter with
reference to the lower half of FIG 5.

More specifically, the lower half of FIG 5 illustrates how the various pieces of
information/data are assembled. At block 151 it is seen that to provide voter
anonymity, while retaining non-repudiation and election integrity, ballots are re-signed
by the server before appending to the election database. In this case, at box 151, there
are reflected the choices the individual ballot items that the individual voter casts a vote
for, and are stored in an election results table 157.

Table 157 conceptually includes four columns. The first column is the
election in which the votes are cast. A separate database can be created per election
but could also be done in this manner. The table 157 is indexed by the vote serial
number (VSN), the issue or office being voted on, and the choice the individual makes.
Thus, this is the table in which the ballot choices are stored. The voter's serial number
is also stored in a table 155 which is an election verification table. The purpose of this
table is to retain the digital signatures that protect the integrity of the ballot and the
election verification table has at least three columns and perhaps others. The election
verification table is indexed by the vote serial number. It includes a column for time
and a column for the digital signature. Optionally, demographic data could also be input
into the election verification table 155 as long as this information would not, through
inference or aggregation, divulge the voter's identity.

On the left side is shown the election voter table 153 which is a hashed table
that in order to achieve the appropriate voting verification, to ensure that individuals can
vote in accordance with their voting rights, provides that the voter identification or ID is
encrypted or hashed using a one-way transform. One option is to employ an encryption
using the individual voter's public key, but any one-way transform would work. The
contents of the table 153, since they are generated by a one-way hashed function are not
reversible, so it is impossible to look into the table to see who voted. However, if an
individual tries to vote more than their appropriate voting rights, the hash entry will
collide with any additional attempt to vote, and thus, there is provided a way of
detecting a subsequent voting attempt without divulging anything about the identity of
the individual.
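
The election voter table 153 as an added Node.js example, not code from the patent: voter IDs are stored only under a one-way transform, and a second ballot on the same item collides with the existing entry. HMAC-SHA-256 under a per-election key, the per-item entries and all names are assumptions, chosen so that sequence-number voter IDs cannot be matched against the table by someone who lacks the key.

```javascript
// Added example of election voter table 153; names and key handling are assumptions.
const { createHmac, randomBytes } = require('node:crypto');

class ElectionVoterTable {
  // electionKey: secret held by the server for one election (assumption).
  constructor(electionKey = randomBytes(32)) {
    this.electionKey = electionKey;
    this.entries = new Set(); // holds only one-way transforms, never voter IDs
  }

  // One-way transform of (voter ID, agenda item). JSON framing keeps
  // ("12", "3") and ("1", "23") from producing the same input bytes.
  transform(voterId, itemId) {
    const input = JSON.stringify([String(voterId), String(itemId)]);
    return createHmac('sha256', this.electionKey).update(input, 'utf8').digest('hex');
  }

  // Returns true when the ballot may be accepted, false when the entry
  // collides with an earlier ballot by the same voter on the same item.
  tryRecord(voterId, itemId) {
    const entry = this.transform(voterId, itemId);
    if (this.entries.has(entry)) return false;
    this.entries.add(entry);
    return true;
  }
}

// Constructed sample run: two voters, two agenda items, one repeat attempt.
function demoVoterTable() {
  const table = new ElectionVoterTable();
  const attempts = [
    ['V-1001', 'item-1'],
    ['V-1002', 'item-1'],
    ['V-1001', 'item-1'], // repeat attempt: collides with the first entry
    ['V-1001', 'item-2'],
  ];
  const accepted = attempts.map(([voter, item]) => table.tryRecord(voter, item));
  const leaksId = [...table.entries].some((entry) => entry.includes('V-100'));
  return { accepted, rows: table.entries.size, leaksId };
}
```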

Turning now to FIG 6, there is illustrated in block diagram form a large-scale
production voting system architecture. Registration clients 201 at their personal
computers are shown as able to register through connection through the global computer
network 205, through a voting firewall 207, web servers 209 and application database
servers 211, which may be ultimately connected to a Transfer Agent system 221. The
Transfer Agent system 221 may provide registration information to a registration server
215 which cooperates as previously described with certificate directory servers 219 and
certificate authority servers 217 and, in cooperation with the other elements, allows
delivery of a ballot to voting clients 203 to accomplish voting as previously described
herein.

In the context of the present invention, the term "electronic transmission"
means any form of communication, not directly involving the physical transmission of
paper, that creates a record that may be retained, retrieved and reviewed by a recipient
thereof and that may be directly reproduced in paper form by such a recipient through
an automated process.

In yet another embodiment of the present invention, the organization
wishing to hold the virtual meeting provides each of the eligible participants with a
device that permits its holder to be recognized as an eligible participant. For instance,
the organization might provide each eligible participant with a card that can be read by a
CD-ROM drive and contains a "key" that enables its holder to have access to the
meeting. Alternatively, the organization might provide each eligible participant with a
USB device that encodes a "key" that enables its holder to have access to the meeting.
We claim:

1. A method of conducting a meeting comprising the steps of

A. Notifying potential meeting attendees of said meeting, said
notification including a notice that complies with any applicable requirements, an
agenda, and a digital certificate that is sufficient to authorize their attendance at an
electronic meeting space reserved for said meeting;

B. Providing said electronic meeting space;

C. Checking the digital certificate of any person seeking admission to
said electronic meeting space and only admitting persons having an appropriate digital
certificate;

D. Monitoring the attendance in said electronic meeting space and any
associated in-person meeting space and when a quorum of attendees is reached, calling
said meeting to order;

E. Providing an orderly electronic discussion among the persons in
attendance at the meeting; and

F. Delivering, collecting, and tabulating encrypted electronic ballots to
those persons attending the meeting electronically.

2. A system for conducting a virtual meeting comprising
[a] a computer having:

associated memory and processing means for executing at least one
program from said associated memory,

at least one communication link that can send electronic signals to, and
receive electronic signals from at least one remote user

said at least one program including a meeting hosting program that
receives instructions from users logged onto said computer and
transmits such instructions to other users concurrently logged
onto said computer,

said at least one program including an authentication evaluating program,
and

said processing means executing said authentication evaluating program
to enable said computer to evaluate whether a remote user
seeking access to said computer is authorized to have such
access.

3. A system according to claim 2 further comprising:

a means for providing any authenticated users logged on to said
computer with proceedings from at least one physical meeting
space concurrent with said virtual meeting.

4. A system according to claim 3 in which said means for providing users with
proceedings includes at least one of the group consisting of a camera means and a
microphone means.